This is a bug in postfix. Temporary failures in the DNS are not supposed to result in permanent failure at the SMTP level. SERVFAIL is not NXDOMAIN.
--
Mark Andrews

> On 26 Mar 2021, at 04:12, Julien Salort <lis...@salort.eu> wrote:
>
> Hello,
>
> I have a VPS running postfix and bind9. Bind is used as a recursive resolver, in particular to be able to query anti-spam database.
>
> Postfix is also configured to reject incoming connections from servers with no reverse dns.
>
> It works great overall, but sometimes legitimate messages get rejected because the reverse dns query fails.
>
> Here is an example (anonymized email and host address):
>
> In mail.log:
>
> 450 4.7.1 Client host rejected: cannot find your reverse hostname, [17.179.250.111]; from=<developer_boun...@insideapple.apple.com> to=<x...@example.com> proto=ESMTP helo=<rn2-msbadger07105.apple.com> (total: 1)
>
> In named journal:
>
> mars 02 01:14:20 example.com named[2756114]: client @0x7f3a0808c750 127.0.0.1#43646 (111.250.179.17.in-addr.arpa): query: 111.250.179.17.in-addr.arpa IN PTR +E(0) (127.0.0.1)
>
> mars 02 01:14:25 example.com named[2756114]: client @0x7f3a08079d00 127.0.0.1#43646 (111.250.179.17.in-addr.arpa): query: 111.250.179.17.in-addr.arpa IN PTR +E(0) (127.0.0.1)
>
> mars 02 01:14:32 example.com named[2756114]: client @0x7f3a0808c750 127.0.0.1#43646 (111.250.179.17.in-addr.arpa): query failed (timed out) for 111.250.179.17.in-addr.arpa/IN/PTR at query.c:6883
>
> mars 02 01:14:32 example.com named[2756114]: client @0x7f3a000d5110 127.0.0.1#49520 (insideapple.apple.com): query: insideapple.apple.com IN MX + (127.0.0.1)
>
> So there is a timeout.
>
> Now if I try again:
>
> $ dig -x 17.179.250.111 @localhost +short
> rn2-msbadger07105.apple.com.
>
> So it seems that it is just that sometimes the query takes a bit longer...
>
> Is there general advice regarding timeout for bind?
>
> Should I just choose a longer timeout? Or is there a reason for the default value?
>
> I did not have such problems when I was using the ISP dns server instead of a local recursive resolver. So I was wondering if the configuration is sub-optimal somehow...
>
> Thank you,
>
> Cheers,
>
> Julien
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
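
A log check for the situation described in the quoted message, added here as an example (it is not code from the thread, BIND or postfix): it scans named query-log lines in the format quoted above and reports each lookup that ended in `query failed`, with the number of client attempts and the seconds elapsed since the first one. The function name is hypothetical and the sample input is modelled on the quoted journal excerpt; only the time of day is parsed, so it assumes one continuous log.

```python
import re
from datetime import datetime

# Sample input constructed for this example, modelled on the quoted journal lines.
SAMPLE_LOG = """\
mars 02 01:14:20 example.com named[2756114]: client @0x7f3a0808c750 127.0.0.1#43646 (111.250.179.17.in-addr.arpa): query: 111.250.179.17.in-addr.arpa IN PTR +E(0) (127.0.0.1)
mars 02 01:14:25 example.com named[2756114]: client @0x7f3a08079d00 127.0.0.1#43646 (111.250.179.17.in-addr.arpa): query: 111.250.179.17.in-addr.arpa IN PTR +E(0) (127.0.0.1)
mars 02 01:14:32 example.com named[2756114]: client @0x7f3a0808c750 127.0.0.1#43646 (111.250.179.17.in-addr.arpa): query failed (timed out) for 111.250.179.17.in-addr.arpa/IN/PTR at query.c:6883
mars 02 01:14:32 example.com named[2756114]: client @0x7f3a000d5110 127.0.0.1#49520 (insideapple.apple.com): query: insideapple.apple.com IN MX + (127.0.0.1)
"""

# Time of day, then the named message that follows the "(qname):" client prefix.
LINE = re.compile(r"(?P<ts>\d\d:\d\d:\d\d) \S+ named\[\d+\]: client @\S+ \S+ \([^)]+\): (?P<msg>.*)")
QUERY = re.compile(r"query: (\S+) IN (\S+)")
FAILED = re.compile(r"query failed \(([^)]+)\) for (\S+)/IN/(\w+)")


def failed_lookups(log_text):
    """Return [(qname, qtype, reason, attempts, seconds_since_first_query)]."""
    first_seen, attempts, results = {}, {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a named client line
        ts = datetime.strptime(m["ts"], "%H:%M:%S")
        query, failed = QUERY.match(m["msg"]), FAILED.match(m["msg"])
        if query:
            key = (query[1].lower(), query[2])
            first_seen.setdefault(key, ts)           # remember the first attempt only
            attempts[key] = attempts.get(key, 0) + 1  # client retries count as attempts
        elif failed:
            key = (failed[2].lower(), failed[3])
            start = first_seen.pop(key, None)
            # Modulo keeps the difference positive if the log crosses midnight.
            waited = None if start is None else int((ts - start).total_seconds()) % 86400
            results.append((*key, failed[1], attempts.pop(key, 0), waited))
    return results


if __name__ == "__main__":
    for qname, qtype, reason, tries, waited in failed_lookups(SAMPLE_LOG):
        print(f"{qname} {qtype}: {reason} after {tries} attempt(s), {waited}s")
```

Lookups that appear here but resolve on a later manual `dig`, as in the quoted message, are slow rather than nonexistent.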